1 Answer

What you've heard is not accurate. CBC is secure, if used properly. OpenVPN does use CBC mode correctly. Generally speaking, OpenVPN is very well designed, and you shouldn't need to worry about this. You shouldn't need to change the default settings for cryptographic algorithms.

In fact, CBC mode is the default mode of operation for OpenVPN, so you do not need to change anything; you can just stick with the defaults, and I recommend you do so.

OpenVPN also supports CFB and OFB modes, but those modes have no advantages over CBC mode (and OFB mode has some potential disadvantages). Therefore, I think OpenVPN's default of CBC is a reasonable and sensible choice.

OpenVPN supports many symmetric-key algorithms. The default is Blowfish, but it also supports DES, 3DES, DESX, RC2, CAST5, AES, CAMELLIA, and SEED. Blowfish is a fine choice. AES would be arguably the more conservative, conventional choice, but frankly either Blowfish or AES is fine. I would definitely avoid single-DES (or anything that is listed as a 40-bit or 64-bit key), and I would try to avoid RC2, CAMELLIA, SEED, CAST5, and DESX if I could -- but this is a detail. In any case, OpenVPN's defaults are fine, so I suggest you just stick with them, rather than try to tweak them.

A comment for the future: If you want us to comment on a recommendation from someone else, it helps if you can link to the primary source. (You didn't tell us where you got the recommendation to use CBC mode in OpenVPN.) This time I was able to work out what you meant, but for the future, this might be helpful if you post other questions.